Azure ActiveDirectory Graph API GraphClient not returning AD Groups

I want to retrieve a User's Group information from Azure AD.

I am using the following Graph API packages to achieve this:

  • Microsoft.Azure.ActiveDirectory.GraphClient
  • Microsoft.IdentityModel.Clients.ActiveDirectory 2.13.112191810

I am able to successfully retrieve user information from the Azure Graph API.

But when I run this method to retrieve a user's groups, Fiddler shows a successful HTTP 200 response with a JSON fragment containing the group information; however, the method itself never returns the IEnumerable.

IEnumerable<string> groups = user.GetMemberGroupsAsync(false).Result.ToList();

The code doesn't seem to return from this async request.

The resulting experience is a blank page, as the authentication pipeline gets stuck.

Full code

public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (!incomingPrincipal.Identity.IsAuthenticated == true &&
            _authorizationService.IdentityRegistered(incomingPrincipal.Identity.Name))
        {
            return base.Authenticate(resourceName, incomingPrincipal);
        }

        _authorizationService.AddClaimsToIdentity(((ClaimsIdentity) incomingPrincipal.Identity));

        Claim tenantClaim = incomingPrincipal.FindFirst(TenantIdClaim);

        if (tenantClaim == null)
        {
            throw new NotSupportedException("Tenant claim not available, role authentication is not supported");
        }

        string tenantId = tenantClaim.Value;
        string authority = String.Format(CultureInfo.InvariantCulture, _aadInstance, _tenant);
        Uri servicePointUri = new Uri("https://graph.windows.net");
        ClientCredential clientCredential = new ClientCredential(_clientId, _password);

        AuthenticationContext authContext = new AuthenticationContext(authority, true);
        AuthenticationResult result = authContext.AcquireToken(servicePointUri.ToString(), clientCredential);
        Token = result.AccessToken;

        ActiveDirectoryClient activeDirectoryClient =
            new ActiveDirectoryClient(new Uri(servicePointUri, tenantId),
                async () => await AcquireTokenAsync());

        IUser user = activeDirectoryClient
            .Users
            .Where(x => x.UserPrincipalName.Equals(incomingPrincipal.Identity.Name))
            .ExecuteAsync()
            .Result
            .CurrentPage
            .ToList()
            .FirstOrDefault();

        if (user == null)
        {
            throw new NotSupportedException("Unknown User.");
        }

        // This is the call that never returns: blocking on .Result here holds the
        // request thread that the awaited continuation inside the library needs.
        IEnumerable<string> groups = user.GetMemberGroupsAsync(false).Result.ToList();

        return incomingPrincipal;
    }
puri asked Dec 27 '14 18:12


1 Answer

I have the same problem. My code is working after changing it according to the documentation at https://github.com/AzureADSamples/ConsoleApp-GraphAPI-DotNet

        IUserFetcher retrievedUserFetcher = (User) user;
        IPagedCollection<IDirectoryObject> pagedCollection = retrievedUserFetcher.MemberOf.ExecuteAsync().Result;
        do {
            List<IDirectoryObject> directoryObjects = pagedCollection.CurrentPage.ToList();
            foreach (IDirectoryObject directoryObject in directoryObjects) {
                if (directoryObject is Group) {
                    Group group = directoryObject as Group;
                    ((ClaimsIdentity)incomingPrincipal.Identity).AddClaim(
                        new Claim(ClaimTypes.Role, group.DisplayName, ClaimValueTypes.String, "GRAPH"));
                }
            }
            pagedCollection = pagedCollection.GetNextPageAsync().Result;
        } while (pagedCollection != null && pagedCollection.MorePagesAvailable); 
Michael Leung answered Sep 28 '22 12:09
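Added example (not code from the question, the answer, or the Graph client samples): the same lookup written with await end to end, so the request thread is never blocked on .Result, which is what leaves the question's Authenticate override hanging; it walks every page of MemberOf and keys the role claims on the group object ID rather than the display name. The class and method names are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;

// Assumed names: GroupClaims, AddGroupClaimsAsync and AddGroupClaims are not part
// of the Graph client library or of the code on this page.
public static class GroupClaims
{
    // Awaits each Graph call instead of calling .Result, so the request thread is
    // never blocked while the library's continuation waits for that same thread.
    public static async Task AddGroupClaimsAsync(
        ActiveDirectoryClient client, ClaimsIdentity identity, string userPrincipalName)
    {
        IPagedCollection<IUser> users = await client.Users
            .Where(u => u.UserPrincipalName.Equals(userPrincipalName))
            .ExecuteAsync().ConfigureAwait(false);
        IUser user = users.CurrentPage.FirstOrDefault();
        if (user == null)
            throw new NotSupportedException("Unknown user.");

        // MemberOf lists direct memberships only; GetMemberGroupsAsync (used in the
        // question) is the transitive variant and returns group object IDs.
        IUserFetcher fetcher = (User)user;
        IPagedCollection<IDirectoryObject> page =
            await fetcher.MemberOf.ExecuteAsync().ConfigureAwait(false);
        while (page != null)
        {
            // Role value is the object ID (display names are not unique in a tenant);
            // distribution lists (SecurityEnabled == false) carry no authorization meaning.
            foreach (Group group in page.CurrentPage.OfType<Group>())
                if (group.SecurityEnabled == true)
                    identity.AddClaim(new Claim(
                        ClaimTypes.Role, group.ObjectId, ClaimValueTypes.String, "GRAPH"));
            page = page.MorePagesAvailable
                ? await page.GetNextPageAsync().ConfigureAwait(false) : null;
        }
    }

    // For a caller that cannot itself be async (the synchronous Authenticate override
    // in the question), run the work on the thread pool, outside the request's
    // synchronization context, rather than blocking on .Result.
    public static void AddGroupClaims(
        ActiveDirectoryClient client, ClaimsIdentity identity, string userPrincipalName)
    {
        Task.Run(() => AddGroupClaimsAsync(client, identity, userPrincipalName))
            .GetAwaiter().GetResult();
    }
}
```

Callers that check roles should compare against the group object IDs they expect, since a display name can be reused by a different group.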